A Journey to the Center of the Rustock.B Rootkit
hi
This paper is divided into two main parts. In the first part I wanted to
extract the native Rootkit driver code, but without the use of kernel
debuggers or other ring0 tools. The second part covers the extraction over
the last three stages, but much faster and with less effort, using the
SoftICE debugger. Each part shows various possibilities for solving the
different problems facing the researcher when analyzing Rustock. The
techniques can also be useful in future reversing sessions. All the tools
I’ve used can be found in the references. Some of them are free and
others are commercial, like IDA Pro. Further, all the binary dumps
and IDA .idb files from each stage are included in the package with this
paper. Use caution when reproducing the work described here. Consider
employing a virtual machine like VMware or Virtual PC and performing the
analysis on an isolated network to avoid the damage that could be caused
by the Rootkit. Use at your own risk!
link:
note:
Please be careful: this file contains some rootkits for the articles... :)
